Re: BGP question

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Wed, 9 Sep 2009 13:55:37 +1000

Just to create more confusion. :-) Well, there are two sides of BGP
notification messages, sent and received.

If say R4 (IP 14.14.14.4) GETS a message:

%BGP-3-NOTIFICATION: received from neighbor 14.14.14.1 2/2 (peer in wrong
AS) 2 bytes 03E8

this means R4 sits in AS 1000 = 0x03EB, i.e. it has a "router bgp 1000" (or
BGP confederation ID 1000 towards non-confed routers or local-as
manipulations for that matter) and its neighbor 14.14.14.1 (R1) has a
"remote-as XYZ" different from 1000. This doesn't tell us which AS R1 sits
in. Nor does it say which XYZ R1 has for R4.

On the other side, if R4 (IP 14.14.14.4) SENDS a message:

04:05:32: %BGP-3-NOTIFICATION: sent to neighbor 14.14.14.1 2/2 (peer in
wrong AS) 2 bytes 0001
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 0001 00B4 0101 0101 1002
0601 0400 0100 0102 0280 0002 0202 00

this means that in R4 "remote-as ABC" for neighbor 14.14.14.1 ABC value is
different from R1's "router bgp NNN" which in this case is "router bgp 1" =
0x0001.

In the second case we do see on R4 what the remote system's AS number is. As per
Bryan's post, R1 sends its AS 0001 but R4 believes that R1 is in some other
AS so it sends a message to R1 (and to R4 console) where we actually see
which AS R1 is in.

The conclusion would be that one can derive the AS number participating in router
bgp/confed-id/local-as-manipulation from notification messages, but the AS
number configured in "neighbor x.x.x.x remote-as NNN" cannot be traced.

HTH

A.

2009/9/9 Bryan Bartik <bbartik_at_ipexpert.com>

> Remember the BGP Open message only contains the "My AS" field not "Your AS"
> so even a detailed packet capture would not help. In addition the
> notification message only contains the actual AS you have configured, not
> the one the BB router thinks you are in.
>
> On Tue, Sep 8, 2009 at 2:53 AM, Tolulope Ogunsina <togunsina_at_gmail.com> wrote:
>
> > Hello,
> > No, you CAN'T.
> > You can figure out the neighbor's AS (as Gaurav mentioned), but you
> > CANNOT figure out the AS that the neighbor has configured you in.
> > Please search the archives, this has been discussed in detail.
> >
> > HTH,
> >
> > On 9/8/09, GAURAV MADAN <gauravmadan1177_at_gmail.com> wrote:
> > > Router 1
> > > =======
> > >
> > > do sh run | sec router bgp
> > > router bgp 100
> > > no synchronization
> > > bgp log-neighbor-changes
> > > neighbor 1.0.0.2 remote-as 100
> > > no auto-summary
> > >
> > > Router 2
> > > ==========
> > >
> > > router bgp 200
> > > no synchronization
> > > bgp log-neighbor-changes
> > > neighbor 1.0.0.1 remote-as 100
> > > no auto-summary
> > >
> > >
> > > On R1, you will get logs like:
> > >
> > > ent
> > > *Sep 8 07:07:58.483: %BGP-3-NOTIFICATION: sent to neighbor 1.0.0.2
> > > active 2/2 (peer in wrong AS) 2 bytes 00C8
> > > *Sep 8 07:07:58.483: %BGP-4-MSGDUMP: unsupported or mal-formatted
> > > message received from 1.0.0.2:
> > > FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 003A 0104 00C8 00B4 1E00 0001 1D02 0601
> > > 0400 0100 0102 0280 0002 0202 0002 0383 0100 0206 4104 0000 00C8
> > > *Sep 8 07:07:58.487: %BGP_SESSION-5-ADJCHANGE: neighbor 1.0.0.2 IPv4
> > > Unicast topology base removed from session BGP Notification sent
> > >
> > >
> > > 00C8 in hexa is 200 in decimal.
> > > That's the clue what the peer's AS is
> > >
> > > HTH
> > > Gaurav Madan
> > > CCIE
> > >
> > > On Tue, Sep 8, 2009 at 11:45 AM, omar maiah <omar.maiah_at_gmail.com> wrote:
> > >> Hi,
> > >>
> > >> Is there any way to figure out what AS an EBGP peer has configured me in?
> > >>
> > >> Regards
> > >>
> > >> --
> > >> Regards
> > >> Omar
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > Best Regards,
> >
> > Tolulope.
>
>
> --
> Bryan Bartik
> CCIE #23707 (R&S), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com <http://www.ipexpert.com/>

Received on Wed Sep 09 2009 - 13:55:37 ART
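
Added example (not part of any poster's message): a decoder for the two OPEN hex dumps quoted in this thread, using the RFC 4271 OPEN layout and RFC 5492 capability encoding. It shows that the fixed header carries only the sender's "My AS", so the AS a peer has configured for you never appears on the wire. The function and constant names are illustrative.

```python
import ipaddress
import struct

# Hex dumps copied from the two log excerpts quoted in this thread.
DUMP_FROM_1_0_0_2 = (
    "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 003A 0104 00C8 00B4 1E00 0001 "
    "1D02 0601 0400 0100 0102 0280 0002 0202 0002 0383 0100 0206 4104 0000 00C8"
)
DUMP_FROM_14_14_14_1 = (
    "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 0001 00B4 0101 0101 "
    "1002 0601 0400 0100 0102 0280 0002 0202 00"
)


def parse_open(hex_dump):
    """Decode a BGP OPEN message (RFC 4271, section 4.2) from a hex dump."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 29 or raw[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message: too short or bad marker")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if msg_type != 1 or length != len(raw):
        raise ValueError("not a complete OPEN message")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", raw[19:29])
    if 29 + opt_len != length:
        raise ValueError("optional parameter length mismatch")
    caps, pos = {}, 29
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated optional parameter")
        p_type, p_len = raw[pos], raw[pos + 1]
        body = raw[pos + 2 : pos + 2 + p_len]
        pos += 2 + p_len
        i = 0
        # Parameter type 2 is a list of capabilities (code, length, value).
        while p_type == 2 and i + 2 <= len(body):
            code, c_len = body[i], body[i + 1]
            caps[code] = body[i + 2 : i + 2 + c_len]
            i += 2 + c_len
    return {
        "version": version,
        "my_as": my_as,  # the only AS field in the fixed OPEN header
        "hold_time": hold,
        "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
        "capabilities": sorted(caps),
        # Capability 65 repeats the sender's own AS in four octets.
        "as4": int.from_bytes(caps[65], "big") if 65 in caps else None,
    }
```

Decoding the first dump gives My AS 200 (the `00C8` in the notification data) and the second gives My AS 1 (the `0001`); in both cases every AS value present is the sender's own.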

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART